Parse Predictable Patterns Using an Anchor

The parse operator (also called the parse anchor) parses strings according to specified start and stop anchors, and then labels them as fields for use in subsequent aggregation functions in the query such as sorting, grouping, or other functions.

This topic describes how to use the parse anchor UI tool to add parsing to a query and provides details on the structure of the parse anchor operator.

parse anchor UI tool

You can use the parse anchor UI tool to highlight the message text to parse, identify parsing fields, and perform the parsing action.

To parse using the parse anchor tool:

Run a search.

In the search results, find a message with the text you want to parse.

Highlight the text, right-click, and select Parse the selected text.

The Parse Text dialog box opens and displays the text you highlighted.

Select the text for the first parsing field, and click Click to extract this value.
The text you highlighted is replaced by an asterisk (*).

In this example screenshot, GET is the parsing anchor, and the highlighted text that follows is the first parsing field.

Enter a name (no spaces) for the parsing field in the Fields area.

If you want to parse additional fields, add a comma after the field name, and repeat the parsing action. The following screenshot shows three parsed fields: url, status_code, and size (in that order). Notice that the three fields correspond to the three asterisks in the parse text.

Click Submit.
The Search page reopens to show the parse operator you just constructed added to the search.

Click Start to display the search results, which now show the parsed message.

Operator details

This section provides details on the parse anchor operator. You can create parse anchor queries using the UI tool described above, or construct your own queries using the information in this section.

In the following examples, the start_anchor is "user=" and the stop_anchor is ":", which ends the email address. The asterisk (*) is the glob representing the parsed term. The examples create a new field for each message named "user" and that field will contain the value of the email address, in this case jsmith@demo.com.

... | parse "user=*:" as user

The parse operator also allows you to extract multiple fields in one command:

Name Fields with Special Characters

You can create field names that contain special characters, for example, spaces, dashes, and backslashes or forward slashes, using the following syntax:

... | parse "<string>" as %"<field name with special characters>"

For example, this query will allow you to parse the phrase "Class ID", including the space:

... | parse "[Classification:*]" as %"Class ID"

NOTE: Special characters in field names are not permitted with Regex parsing. You must rename the field after parsing. Example: extract "\[Classification:(?<class_id>.*)\]" | class_id as %"Class ID"

Use Line Breaks as an Anchor

If your logs are delivered in a multi-line format, you may want to parse up until a line break in the message. In order to do so, use the following regular expressions as a stop anchor on the line break:

Recommended articles

Sumo Logic is the industry’s leading secure, cloud-native, machine data analytics service, delivering real-time, continuous intelligence across the entire application lifecycle and stack. More than 1,000 customers around the globe rely on Sumo Logic for the analytics and insights to build, run and secure their modern applications and cloud infrastructures.